Program Purpose

Maintaining top-notch security online is a community effort and a high priority for Dailymotion. We're lucky to have a vibrant group of independent security researchers who volunteer their time to help us spot potential issues. To recognize the efforts of independent security researchers and the important role they play in keeping Dailymotion safe for everyone, we offer a bounty for reporting certain qualifying security vulnerabilities. Please review the following rules before you report a vulnerability. By participating in this Program, you agree to be bound by these rules.

Rewards

Dailymotion will provide rewards to eligible reporters of qualifying vulnerabilities (see Scope, Qualifying and Non-Qualifying Vulnerabilities below). Dailymotion will determine in its sole discretion whether a reward should be granted and the amount of the reward.

Reward amounts will vary depending upon the severity of the reported vulnerability, which itself will be established based on an evaluation of the potential business impact resulting from a malevolent exploitation of the vulnerability. In other words, reports failing to demonstrate a tangible attack scenario and opportunity are unlikely to be rewarded.

Please keep in mind that whatever you discover, we'll most likely be asking you to demonstrate what you believe is a vulnerability. Because we evaluate reports based on business risks and tangible impacts, we don't reward theoretical vulnerabilities (the ones which are almost exploitable, but just "not quite there") — although we are always interested in reading about them! For example, the exposure of our public web site's JWT token for our GraphQL API is not a security issue. We know it's there, in your browser, but you can't do anything with it to attack other people's data (or, if you can, do demonstrate your findings).

The rating-to-CVSS score equivalence outlined in the following table for in-scope components is provided indicatively. Our minimum reward is 70 Euros.

An SSRF will not score as Critical unless you're able to demonstrate a critical business impact (please coordinate with us).

This is not a contest or competition. Rewards may be provided on an ongoing basis as long as this program is active.

In the event that we choose not to reward a vulnerability with no demonstrable business impact (for example an XSS on a domain that does not have valuable cookies), we reserve the right to fix the issue in order to avoid further equivalent submissions by other researchers.

Note concerning XSS and CSRF vulnerabilities:

We will tend to rate user session-related XSS and CSRF vulnerabilities, whether stored or reflected, with a low impact. For a (very) significant majority, users are unauthenticated and the chances of successfully exploiting such vulnerabilities are therefore minimized. Typically, a reflected XSS vulnerability on our main domain and implying the theft of user cookies on www. or *.dailymotion.com will be rated as Low. Please note that, if you are able to demonstrate an ability to exploit these vulnerabilities in creative ways (possibly combined with other vulnerabilities found by yourself) so as to provably increase the business impact, we will consider this final impact to evaluate the severity.

Scope

The sites and applications hosted under one of the following domains are within the scope for this Program:

• *.dailymotion.com
• *.api.dailymotion.com
• *.dmcdn.net
• *.dm.gg
• *.dmxleo.com
• ifttt-adaptor.pub.kube.dm.gg
• AS41690
• our official Dailymotion applications on the Google Play Store, Apple App Store, and PlayStation and Microsoft stores.

Vulnerabilities reported on other services or applications owned by Dailymotion are currently not eligible for monetary reward and will be handled as a responsible disclosure. As they come into scope, they will be added to this section. Notably, resources hosted under ondailymotion.com domain are not in the scope of our program.

Note concerning our different user types

We have several levels of privileges on the product: unauthenticated user, authenticated user, partner, partner with a verification badge. We invite you to go and explore the attack surface that is specific with each of these profiles as they are all in-scope.

Partner accounts are only granted to users after they have accepted the terms of our Dailymotion Partner Program Agreement. Security researchers interested in digging is this part of our perimeter can open such an account by signing up on our partner portal.

If you want to test the features exposed only to partners with a verification badge, please file a request on security@dailymotion.com so as to be provided with a verification badge (we'll then provide you with a temporary, dedicated partner account). For practical reasons, Dailymotion reserves the right to evaluate and deny such requests on a case by case basis; typically, we will only consider requests from hunters who have previously reported at least one qualifying vulnerability rated as Medium or more.

Highlight on Tartiflette, our home-grown GraphQL engine

Tartiflette is the new GraphQL engine which runs our API-centric platform. We are happily sharing it with the community - of course it's open source - and we are very keen in having security researchers look into it to find potential flaws and security issues, from more angles: source code, execution or fuzzing.

You can find the source code on GitHub.

Eligibility for Bounty

We are very thankful to everyone who submits valid reports which help us improve the security of Dailymotion. However, only those that meet the following eligibility criteria may receive a monetary reward under this Program:

• You must be the first reporter of a valid vulnerability (any duplicate reports will not be rewarded).
• The vulnerability must be a qualifying vulnerability associated with a component, site or application in Scope (see Scope, Qualifying and Non-Qualifying Vulnerabilities below).
• You must send a clear textual description of the report, notably including steps to reproduce the issue, as well what you see as possible attack scenario(s) and opportunity; please include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of Dailymotion or one of its contractors;
• The submission must be received after the launch of this Policy (the date of which is stipulated at the bottom).
• You must be registered and KYC-verified on Yes We Hack.

We intend to respond and resolve reported issues as quickly as possible. Depending on our workload, the severity of the issue, but also the clarity and comprehensiveness of your report, you can expect an update from us within 96 hours of the report's initial submission date.

Note that posting details or conversations about the report or posting details that reflect negatively on our Program or the Dailymotion brand, will result in immediate disqualification from ongoing and upcoming reward programs.

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

Dailymotion reserves the right to modify the terms of this Program or terminate this Program at any time.

Reports of leaks and exposed credentials

We are open to some types of reports related to exposed secrets, credentials or information.

Please pay attention to our list of Qualifying/Non-Qualifying vulnerabilities, as well as our Scope and the following rules.

In order not to encourage dark and grey economies, in particular the purchase, resale and trade of identifiers or stolen information, as well as all types of dangerous behavior (e.g. social engineering, ...), we will not accept or reward any report based on information whose source is not the result of failure on the part of our organization or one of our employees/service providers.

Eligible reports

Reports of exposed secrets, credentials and sensitive information will be considered eligible if it complies with the following:

• The source of exposure/leak is under MyCompany’s control, directly or indirectly.

e.g. stolen information or bundled information from a random source is not eligible.

• The exposed information has been verified (or tested) and confirmed

If you identify a source (under our control) that is leaking multiple data, we kindly ask you to report it in a single report and we will consider the impact based on the nature and depth of the exposed data.

To summarize our policy, you may refer to this table:

Important precautions and limitations

As a complement to the Program’s rules and testing policy :

• DO NOT alter compromised accounts by creating, deleting or modifying any data

• DO NOT use compromised accounts to search for post-auth vulnerabilities (they won’t be eligible anyway)

• DO NOT include Personally Identifiable Information (PII) in your report and please REDACT/OBFUSCATE the PII that is part of your PoC (screenshot, server response, JSON file, etc.) as much as possible.

• In case of exposed credentials or secrets, limit yourself to verifying the credentials validity

• In case of sensitive information leak, DO NOT extract/copy every document or data that is exposed and limit yourself to describe and list what is exposed.

Ground Rules

In order to avoid any confusion between good-faith security research and fraudulent or malicious behaviors, we ask you to comply with the following rules when looking for, testing and reporting vulnerabilities:

• Take all reasonable measures to only interact with test accounts you have created on the platform;
• Do not use physical attacks on our security, social engineering, distributed denial of service, spam or applications of third parties;
• If you manage to gain unauthorized access to any data or systems, limit the amount of data or privileges you gain access to, to only the minimum required for effectively demonstrating a proof of concept. Also, cease testing and submit a report immediately if you encounter any personally identifiable information or proprietary information during testing. When in doubt, we will rate the vulnerability severity based on the worst case scenario;
• Avoid violating the privacy of others, disrupting our systems, destroying data, or harming user experience;
• Report any vulnerability you’ve discovered promptly (i.e. within days, not weeks). Do not take advantage of the vulnerability or problem;
• Only use the specified communication channels listed below to discuss or report vulnerability information to us and provide sufficient information so we will be able to resolve the vulnerability as quickly as possible (see Section 8 below for further information);
• Do not disclose vulnerabilities you've discovered publicly or to any third party until we have formally authorized you to do so in writing;
• Obviously do not engage in any fraudulent exploitation of the vulnerability, in any form, with us, our partners or our users.

Legal Matters

When conducting vulnerability research in good faith and in accordance with the terms specified in this Policy, we consider this research to be:

• Lawful and in accordance with applicable state laws relating to computer fraud. We will not bring any claim against you for circumvention of technology controls;
• Exempt from restrictions in our Terms of Use only to the extent that they would interfere with conducting security research.

We won’t take legal action against, suspend, or terminate access to the Service for those who discover and report security vulnerabilities responsibly. Dailymotion reserves all of its legal rights in the event of any noncompliance.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please reach out to security@dailymotion.com before going any further.